[PDF] GDPR - Consumers International





[PDF] GDPR - Consumers International

As the strongest data protection laws to date come into force for citizens in the European Union, The EU's General Data Protection Regulation (or GDPR) came into effect on the 25 May 2018, replacing the previous minimum 1995 – before


The state of data protection rules around the world

A briefing for consumer organisations

As the strongest data protection laws to date come into force for citizens in the European Union, Consumers International looks at the key components of the new EU General Data Protection Regulation and takes a snapshot of data protection regulations for consumers across the globe.

Consumers International is the membership organisation for consumer groups around the world. It is a charity (No.1122155) registered in England and Wales.

What is the EU General Data Protection Regulation?

The EU's General Data Protection Regulation (or GDPR) came into effect on the 25 May 2018, replacing the previous minimum standards for processing data provided in the Data Protection Directive of 1995 [1]. Though many of the main concepts and principles from the Directive underpin the GDPR, there are critical updates intended to address the implications of the digital age and the ways in which consumers' and citizens' data is collected, analysed and transmitted by new types of business practices and models, such as social networks, mobile applications and e-commerce.

For the consumer, GDPR has strengthened rights. Individuals now have the power to demand companies reveal or delete the personal data they hold.

For regulators, GDPR makes provisions which stipulate that data protection law will become identical throughout all EU member states. This should encourage partnership working and create a more harmonious environment for regulators, who previously worked independently and had to launch separate actions in each jurisdiction.

GDPR requires businesses to be more accountable to the people whose data they collect and imposes much tougher punishments for those who fail to comply. All businesses handling EU citizens' data, whether based in the EU or

The main changes in more detail

The internet has made it easy to access information by visiting a website, or to buy goods and services at the touch of a button. But most consumers aren't always fully aware that in doing this, the organisations they deal with online are collecting vast amounts of personal data about them. This can be in the form of obvious things like your name and address, to tracking your browsing behaviour, location and inferring your preferences from this. This data is then used by companies in everything from sales to customer relationship management to marketing. The ease and sophistication of data collection means that thousands of companies not only collect personal details, but store it in often insecure locations, share it with third parties or move this data across borders to support their businesses. In addition, their business models rely on selling access to this data to advertisers who then target consumers with 'tailored' (or creepy) advertising.

With many security breaches now well publicised by the media, consumers are increasingly becoming aware about what happens to their data and have looming privacy concerns about what is being stored and processed, and by who. Policy makers and regulators have recognised the lack of protection offered by the former Directive in this area and have updated GDPR to rectify it. For example, a key component of GDPR is the requirement for consent, which must be an active agreement by the data subject, rather than the current models offered through pre-ticked boxes or opt-outs. It also puts obligations on businesses to carry out Privacy Impact Assessments for certain data use cases. This will have the effect of enabling businesses to consider more holistically what the organisation is doing with the data it collects and the impact it could have on people's privacy - giving them a chance to look across the piece at what they are collecting and why. Another key feature is privacy by design, which forces a company to design their data collection and processing methods in accordance with data protection law. In other words, they will need to ensure their data protection policies, structure and personnel are compliant.

erased ie where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there's no legitimate interest, or if it was unlawfully processed. In this instance the controller and the people they have

some cases, individuals have the right not to be subject to decisions based on automated processing without any human intervention

analyse bank transaction data for spending patterns and insights, or to move contacts from one network to another.

information, what purposes they use it for, and the ways in which they process the data. This must be done in clear, easy to understand language.

any information a company holds on them within one month of asking. They can also ask for that data, if

breaches as soon as they happen. Companies must alert both their data protection authority and the people incident recovery plan proposal for mitigating its effects.

and customers with data protection queries.

[1] EU, Rules for the protection of personal data inside and outside the EU

GDPR will replace the EU's previous data law adopted in 1995 - before Google was even registered as a domain name.

What is happening across the world?

Concern about how much data is collected, loss of privacy, security risks and other [2]. The GDPR is now the strongest data protection regime in the world, leading many to hope that it will set a 'gold standard' for other jurisdictions. The requirement on companies that process EU citizens' data to abide by the regulation regardless of location adds weight to this and could be used as leverage by citizens of other countries, particularly where company activity crosses borders. That is the hope for the future - but what is the current status of data protection laws across the world?

Globally, there is an increasing growth in data protection laws, many of which have been modelled on comprehensive guidelines or regulation such as the EU Directive mentioned above, or the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. According to UNCTAD data protection tracker countries across the globe have full or draft data protection legislation in place, based on this tracker.

Africa

As a continent, the African Union adopted the progressive Convention on Cyber Security and Personal Data protection

convention.

Regionally, there is effort to ensure data protection within regional blocs. For example the Southern African Development Community (SADC) has developed a model law harmonising policies for the ICT Market in Sub

Finally several Francophone countries (Benin, Burkina Faso, Ivory Coast, Gabon, Mali, Morocco, Senegal and Tunisia) are part of the French-Speaking Association of Personal Data Protection Authorities (AFAPDP) which promotes personal data protection principles and rules in French-speaking countries.

[2] Centre for Internet Governance Innovation - Ipsos,
[3] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Data Protection and Privacy Legislation Worldwide

A key component of GDPR is the requirement for consent, which must be an active agreement by the data subject.

[5]

organizations to report an 'eligible data breach' to the data protection authority and notify affected customers

Privacy Act

Pakistan, Thailand), while the others either have none or have provided no data.

(APEC) Privacy Framework which aims to

Privacy Rules (CBPR) system has been forged out of this framework. Unlike GDPR the CBPR system does not displace or change a country's domestic laws and regulations.

The Americas and the Caribbean

Tobago, Nicaragua, Costa Rica, Colombia, Peru, Bolivia, Chile, Argentina, Paraguay, Uruguay, Bahamas, Dominican

none or had no data available to determine whether one was in place.

Framework.

This Framework was designed by the US Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

Latin America and the Caribbean stated that consumers very rarely understand and have control over how their data is collected, stored and used.

[5] Australian Government, The Privacy Act
Cross-Border Privacy Rules (CBPR) System
EU-U.S. Privacy Shield

Moving forward to a coherent global position?

The sheer increase in data protection laws across the world is testament to data protection's rising importance on the global agenda. In spite of this, there is still more that needs to be done. In an ideal world data protection would be harmonised across continents to ensure a more comprehensive and coherent global policy on

can implement data protection requirements, and reduces confusion when data protection issues arise between countries. Some countries have already started to do this by aligning with robust data privacy frameworks like the OECD guidelines or GDPR, but these are not widespread. The only non-EU countries that have data protection laws considered adequate by the EU are data protection laws off the OECD Guidelines.

So, while the GDPR may be held up as a new gold standard, it could be ambitious to assume that others will reach it any time soon, considering that many countries across the globe are yet to put data protection laws in place or

The selection of components of strong online privacy and data protection rights below shows the scale of the challenge for middle and low income countries, particularly where obligations on service providers were complicated by the issue of data control across borders.

Establishment of state and regional mechanisms that strengthen data protection frameworks such as oversight from independent bodies

A move away from a patchwork of sector-based regulation towards single legislative data protection mandate to protect individuals' privacy

A consent-based model for data protection regulation where data is regulated on the basis of general data protection principles across industry sectors without distinction.

Data portability which will take into consideration the extraterritorial nature of data collection and transmission

Data subject rights such as right to be forgotten etc

Consumers International research found that capacity of policy makers, resources for monitoring and enforcement systems and the political climate around national security

where data is included in trade negotiations, there will be pressure to harmonise down as protection is often seen as a barrier to trade. [9] There was also concern that taking 'legislative shortcuts' such as copying data protection clauses from other countries, may not work as they have different enforcement or market surveillance infrastructure or could even be affected by different cultural norms.

[9] Consumers International blog, Why global e-commerce talks will have wide implications for consumer rights and privacy,
Consumers International,

In 2016, 57% of consumers worldwide reported that they were more concerned about their online privacy than they were in 2014.

Outside the EU, very few countries have data privacy frameworks that are aligned with OECD guidelines or GDPR.

Key facts and further reading on GDPR

What is personal data?

data'. Examples include name and surname, a home address, an email address, etc [11]

What is data protection?

person, including names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other information such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered personal data". [12]

Data privacy, or data protection, laws regulate the use of 'personal data' by organisations to protect certain rights of individuals - organisations are not free to use personal data at will.

Who needs to abide by GDPR?

'A controller determines the purposes and means of processing personal data. A processor is responsible

obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach. However, if you are a controller, you are not relieved of your obligations where a processor is involved - the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.'

References

What is personal data?
Data Protection and Privacy Legislation Worldwide
History of the GDPR
General Data Protection Regulation (GDPR) CI other blog on GDPR
Consumers International
Consumers International,

[11] EU, What is personal data?
[12] European Data Protection Supervisor, Data Protection
ISO, Who does the GDPR apply to?
